TryHackMe SAL1 first-attempt pass — 941 out of a required 750, learning path at 69% complete, and a full breakdown of the strategy that made every report score 96-100/100.
I'll be upfront — I came in with BTL1 and CDSA already done, so this isn't an "anyone can skip the prep" take. But if you're a hands-on learner who struggles with structured content, this review is for you. I cover the full exam experience across both labs, the reporting template I built before the clock started, why investigation beyond the alert ticket matters even when it technically isn't required, and the escalation edge case that cost me points despite making the correct call by the written rules.
What I cover in this one:
— Why the learning path sat at 69% for months and why that's okay for certain learners
— The 5W reporting template that scored 96-100/100 on every report
— Lab 1 vs Lab 2 — what I did differently and why it mattered
— The alert spawning strategy (spawn, walk away, come back at the hour mark)
— Escalation ambiguity — when following the rules exactly still costs you points
— Honest feedback on the exam design and where it could go deeper
— Whether SAL1 is worth it for the Australian market
📝 Full written review → https://inksec.io
🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SAL1 #TryHackMe #SOCAnalyst #BlueTeam #Cybersecurity #SAL1Review #CertReview #IncidentResponse #AlertTriage #CyberSecurityJourney #Melbourne #InfoSec #BlueTeamSecurity #ThreatHunting #SIEM #BTL1 #CyberDefenders #btlo
Alert Reporting
Provide a clear and detailed explanation of the reason why the activity is classified as TP or FP
Clearly explain why the alert requires escalation and which remediation actions may be required
Specify the entities associated with the activity detected by the alert
Identify who or what was affected
Indicate where the activity occurred
Clarify when the activity took place
Provide all IOCs associated with the activity:
Network Indicators: IP addresses, Ports, Domains, URLs, etc.
Host Indicators: File Names, File Paths, Hashes, Signatures, etc.
Specify which goals the threat actor attempted to achieve
(Optional) Specify which MITRE techniques or tactics the activity can be related to
Alert Report — [ALERT NAME]
This activity is classified as a [True Positive / False Positive] due to [brief reason].
[Description of the detected activity — what happened, what was targeted, what system/environment was involved.]
This IP [is/is not] flagged as malicious on [threat intel source]. The activity targeted [username/account/asset].
This activity started at [TIME] on [DATE]. [Describe the progression of events — e.g. number of attempts, outcome, successful login or not.]
[Escalation statement if TP — e.g. "Immediate escalation is required as unauthorized access was detected."] [Recommended remediation actions — e.g. account lockout, password reset, block IP.]
[If FP — explain why it's benign. Note any context like known IP, expired password, legitimate user behaviour, etc.] No anomalies were found.
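As an added example (not the author's template code and not TryHackMe material), the Python below turns the 5W structure above into a small triage routine over a handful of constructed OpenSSH auth-log lines: it parses the events, decides True/False Positive and whether escalation is needed for one source IP, collects the network and host indicators, and renders the report sections in the order the rubric asks for. The failure threshold of three, the RFC1918 list used to decide "internal", the hostnames and accounts in the sample log, and the use of 203.0.113.45 (an IANA documentation range standing in for an external attacker address) are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the exam or the author's lab); the
# format mirrors OpenSSH auth-log entries with an ISO-8601 timestamp prefix.
# 203.0.113.0/24 is a documentation range, used here as a stand-in for an
# external source; 10.0.0.23 is an assumed internal workstation.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z host01 sshd[1203]: Failed password for admin from 203.0.113.45 port 51234 ssh2
2024-03-02T10:15:04Z host01 sshd[1203]: Failed password for admin from 203.0.113.45 port 51236 ssh2
2024-03-02T10:15:08Z host01 sshd[1203]: Failed password for admin from 203.0.113.45 port 51238 ssh2
2024-03-02T10:15:11Z host01 sshd[1203]: Failed password for invalid user root from 203.0.113.45 port 51239 ssh2
2024-03-02T10:15:40Z host01 sshd[1203]: Accepted password for admin from 203.0.113.45 port 51240 ssh2
2024-03-02T10:16:02Z host01 sshd[1210]: Accepted publickey for jsmith from 10.0.0.23 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Assumed internal address space (RFC1918). ipaddress.is_private is not used
# because it also treats the 203.0.113.0/24 documentation range as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    outcome: str
    user: str
    ip: str
    port: int


def parse_events(text):
    """Parse auth-log lines into Events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], m["outcome"], m["user"], m["ip"], int(m["port"])))
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events, source_ip, fail_threshold=3):
    """Decide TP/FP and escalation for the activity from one source IP.

    TP rule (assumed): an external source that reaches the failure threshold or
    logs in successfully after earlier failures. Escalation rule (assumed): the
    TP includes a successful login, so the attacker now holds a valid session.
    """
    src = sorted((e for e in events if e.ip == source_ip), key=lambda e: e.ts)
    failures = [e for e in src if e.outcome == "Failed"]
    successes = [e for e in src if e.outcome == "Accepted"]
    brute_force = len(failures) >= fail_threshold
    success_after_fail = bool(failures) and any(s.ts > failures[0].ts for s in successes)
    true_positive = (not is_internal(source_ip)) and (brute_force or success_after_fail)
    return {
        "verdict": "True Positive" if true_positive else "False Positive",
        "escalate": true_positive and bool(successes),
        "failures": len(failures),
        "successes": len(successes),
        "accounts": sorted({e.user for e in src}),
        "hosts": sorted({e.host for e in src}),
        "ports": sorted({e.port for e in src}),
        "first_seen": src[0].ts if src else None,
        "last_seen": src[-1].ts if src else None,
    }


def build_report(alert_name, events, source_ip):
    """Render the report: classification, what, who, where, when, IOCs, escalation."""
    t = triage(events, source_ip)
    tp = t["verdict"] == "True Positive"
    if tp:
        reason = "repeated authentication failures from an external source"
        if t["successes"]:
            reason += " followed by a successful login"
    else:
        reason = "the activity is consistent with expected user behaviour"
    lines = [
        f"Alert Report - {alert_name}",
        f"This activity is classified as a {t['verdict']} due to {reason}.",
        f"What: {t['failures']} failed and {t['successes']} successful SSH logins from {source_ip}.",
        f"Who/what was affected: accounts {', '.join(t['accounts'])} on {', '.join(t['hosts'])}.",
        f"Where: host(s) {', '.join(t['hosts'])}, source IP {source_ip}.",
        f"When: {t['first_seen']} to {t['last_seen']}.",
        f"Network indicators: IP {source_ip}, ports {', '.join(map(str, t['ports']))}.",
        f"Host indicators: targeted accounts {', '.join(t['accounts'])}.",
    ]
    if t["escalate"]:
        lines.append("Immediate escalation is required: a successful login followed the brute-force "
                     "attempts. Recommended: terminate the session, disable or reset the account, "
                     "block the source IP at the perimeter.")
        lines.append("MITRE ATT&CK: T1110 (Brute Force), T1078 (Valid Accounts).")
    elif tp:
        lines.append("Escalation is not required yet: no login succeeded. Recommended: block the "
                     "source IP and monitor the targeted accounts.")
        lines.append("MITRE ATT&CK: T1110 (Brute Force).")
    else:
        lines.append("No escalation required. No anomalies were found.")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(build_report("SSH Brute Force Success", evs, "203.0.113.45"))
    print()
    print(build_report("SSH Login", evs, "10.0.0.23"))
```

Running it prints a True Positive report with escalation for the external source (four failures against admin and root, then a successful password login) and a False Positive report for the internal key-based login. The escalation rule encoded in triage() is one defensible reading of "unauthorized access was detected"; the point of writing it down as code is that the rule you apply is explicit and the same for every alert, which is what keeps the written justification consistent across reports.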